Monitoring Bank DDoS Attacks Tough Task For Third Parties

While data is not readily available on the attacks hitting financial institutions, defenders dealing with the incidents say that the attacks are effective and costly

The distributed denial-of-service attacks hitting financial institutions continue to concern many security experts, but looking for evidence of the attacks serves up a meager helping of data points that belies the seriousness of the problem, say infrastructure and security experts.

Website monitoring firm Netcraft, for example, has documented downtime at major banks lasting hours during the past few weeks, but no crippling outages. Internet monitoring provider Renesys has also seen few signs of the attacks. Perhaps the most convincing data comes from Web-outage complaint portal Sitedown.co, which has collected hundreds of bank-outage reports in the past month. Yet there is no way to confirm the reports are true.

While the lack of external evidence has led some commentators to downplay the attacks, the problem is that the organizations that have the most data are not talking about the issues publicly, says Earl Zmijewski, vice president and general manager at Renesys.

"The people who know definitely are the banks, ... and Internet service providers will certainly know when things are not good," he says. "Otherwise, it is very hard unless you are doing very specific monitoring all the way down to the application level ... to the point of being viewed as a nuisance."

Despite last year's vigorous debate on the merits of information-sharing, very little information about the attacks is being passed to the public. The financial institutions are silent on the outages, except when customers are dramatically impacted, and then e-mail alerts are sent out to customers. And Internet-service providers will generally not discuss specific attacks.

Much of the information on the attacks is a mixture of classified and nonclassified data, says Bryan Sartin, director of Verizon's RISK team. Moreover, clients are worried that, if they speak up, they will become more intensely targeted. Verizon, which handles a large portion of Internet traffic, agreed to an extensive, but general, discussion of the attacks, but only about operations that had been made public.

"Internet-service providers, we are the battleground where these things take place," Sartin says. "There are a lot of facts and a lot of detail and a lot of perspective that, of course, we have, having such a significant percentage of the day's IP traffic, but speaking to those in any specifics -- I'm sorry, I can't."

In September, massive floods of data began hitting the online systems of major U.S. financial institutions following a statement calling for denial-of-service attacks. The statement -- made by a self-styled hacktivist group the Cyber Fighters of Izz ad-din Al Qassam -- called for volunteers to continue the attacks until a video that offended many Muslims was taken down. Yet the real attack did not come from the home systems of cyberprotesters, but from hundreds, or perhaps thousands, of content-management systems that had been compromised to form botnets.

Earlier this week, content-delivery network Incapsula detailed its analysis of a compromised server, finding an encoded PHP script designed to take part in an attack and consume the compromised server's processing power and bandwidth to do so.

The attacks, so far, have come in three waves, each kicked off with a Pastebin announcement by the Al-Qassam Cyberfighters. The latest announcement, posted on Jan. 8, promised to keep the attacks going for more than a year. The attacks have had limited visible impact, causing some U.S. banks to become inaccessible for hours: Bank of America had availability issues on Dec. 28, Wells Fargo on Dec. 19 and 20, as well as Jan. 3, and HSBC on Jan. 4, according to Netcraft data.

Such outages, even if they appear minor, are indicators that something significant is going on, says Mike Prettejohn, director of Netcraft. "The best hosting companies are flawless, where one failed request a month might move you down in the list of top-10 hosting companies," he says. "A decent bank would not want to be worse than that."

In fact, the attacks are serious and problematic, says Carl Herberger, vice president of security solutions for application-delivery firm Radware. The company has helped banks mitigate the attacks, but confidentiality agreements prevent the firm from talking about specifics, he says.

The attacks typically ramp up quickly as the attackers determine what level and mix of malicious network traffic will hinder a bank's accessibility. The average attack lasts about 20 days, Herberger says.

While there are typically seven different vectors through which the attackers attempt to hobble banks' networks, three techniques are the most effective. The top of the list are encrypted GET floods, which overwhelm the hardware that decrypts secure sockets layer (SSL) data, he says.

"Very few professionals have been able to handle the volumetric encrypted traffic, so unless you have dealt with it before, you will not be prepared," Herberger says.

The second effective technique is the much-reported Brobot botnet, which uses the large-bandwidth capacity of compromised content management servers to send traffic floods of 30 Gbps or more, overwhelming key pieces of network hardware. Finally, recursive DNS attacks are able to overwhelm critical domain-name system resolution, making the servers hard to reach for consumers.

In one operation, the recipe of attacks is quite similar, but there have been changes between the three major campaigns, Herberger says.

"Our technology needs to get better," he says. "IP-limiting and rate-limiting filters are no longer enough."

Herberger and other security experts interviewed for this article had no evidence whether the attacks were sponsored by nation-states -- much less Iran -- but Herberger said that any link would not be technical but based on human intelligence and likely classified.

Dan Holden, director of the security engineering response team at network-protection firm Arbor, argues that security professionals should be concerned about the tenacity of the attackers. The length of the campaign, and the threats to continue the attacks for more than a year, suggest some level of investment, he says. Moreover, the analysis by Incapsula that suggests that a botnet-for-hire is being used in the attacks, further strengthens arguments that the attackers are being funded.

"Given the fact that they have already been able to do it for months, given the [Incapsula] story about the server in the U.K. ... the question is whether this is hacktivism, or is it something else," Holden says. "At this point, we don't know, but I would believe that these attacks are being funded at some level."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Want to Reduce Application SecurityRisk? Build more Secure Software! Over the years IGÇÖve seen a variety ofapproaches to this problem and have helped many customers on their path towardmore secure applications and reduced risk. ItGÇÖs interesting that you cancategorize most approaches into these three areas: Find and Fix, Protect inPlace, Secure at the Source.

While each of these approachesplays an essential role in reducing application risk, you can get the greatestlong term impact by securing applications at the source. In this approach youare targeting the development process itself, in an attempt to fix the systemicissues which are leading to vulnerabilities in the first place. Discovery anddetection then become a backstop to catch anything that slips through thecracks of a properly designed and implemented system.-á

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.